Data security 'flouted by workers'

Unfortunately, our studies have also shown that it often takes a data breach incident before an organisation will finally get their wake-up call and take data security seriously.

I don't understand why this surprises us when we behave the same way in the real world. Take traffic lights (and other transportation-related changes) for example: I've seen too many cases where it takes a traffic fatality before people and the transportation authority (in the US, the Department of Transportation) decide to implement additional controls (i.e. traffic lights or other roadway improvements).

2 comments:

You forgot about cost justification. Most people won't initiate any security initiatives until an outage, attack, or outbreak impacts their bottom line.

Information Security has at least made it from the back room to the board room. And those in the board room are extremely concerned about how much money an incident cost them. If the focus towards security is measured as a cost to prevent the cumulative cost from an incident, then you will win the backing of the higher management teams.

Let's face it, they don't care about the bells and whistles, they just want to know that the money spent is going to keep the company name, and theirs, from being in the media for a breach/incident.

Dennis's point about cost justification reinforces the first bullet point in my original post. Without appropriate support for Information security, companies are locked in a reactive cycle of risk management.

In order to evolve from a reactive stance (event occurs, costs incurred, security gets management's attention) to a pro-active stance (i.e. actively track and manage risks), executive management and information security have to improve their ability to communicate.

In a perfect world, both sides would modify the way they communicate to reach each other. In practice, the information security side has to find the right approach to reach their management's attention to appropriately convey the business impact of non-action.

About Me

Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization's cyber risk posture.

Disclaimer

The views and opinions expressed here are those of Dr. Veltsos only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.

All content on this blog is provided as general information and is for educational purposes only. It should not be construed as professional advice or guidance. All trademarks and copyrights on this blog belong to their respective owners.